The dolls have ears

As our modern lives become more conveniently connected by “smart” phones, appliances, toys and the like, it’s worth pausing to consider the privacy and security implications of inviting these devices into our homes.

Out of the mouths of baby dolls

Take, for example, the My Friend Cayla doll, an interactive toy that engages children in conversation. She connects via Bluetooth to an app installed on a phone or tablet. When children talk to her, Cayla records what they say and converts the audio recording into text. The text is then transmitted over the Internet to a third-party database where it is used to look up answers, which are then relayed back to Cayla to speak.

Within Cayla’s app, children are also prompted to give personal information, including their name and their parents’ names, their favorite toy, TV show and food, their school and where they live. Cayla uses this information to chat with children about their day, play games, answer questions and even offer instructions on how to bake a cake.

How secure is Cayla and the data she collects? Not secure enough, according to Germany’s Federal Network Agency, which banned the toy earlier this year:

“There is a particular danger in toys being used as surveillance devices: Anything the child says or other people’s conversations can be recorded and transmitted without the parents’ knowledge. A company could also use the toy to advertise directly to the child or the parents. Moreover, if the manufacturer has not adequately protected the wireless connection (such as Bluetooth), the toy can be used by anyone in the vicinity to listen in on conversations undetected.”

In the United States, a group of consumer advocates has filed a complaint with the U.S. Federal Trade Commission, requesting an investigation into the toy.

“This complaint concerns toys that spy. By purpose and design, these toys record and collect the private conversations of young children without any limitations on collection, use, or disclosure of this personal information. The toys subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards. They pose an imminent and immediate threat to the safety and security of children in the United States.”

The BBC also covered the story, talking with security researchers at Pen Test Partners to get an inside look at how vulnerable Cayla is to hacking.

Don’t play dumb about smart devices

In July this year, the U.S. Federal Bureau of Investigation issued an alert to consumers that Internet-connected toys could pose a security and privacy risk in the home. While the weaknesses in the Cayla doll are alarming, Internet of Things (IoT) products are here to stay, and usage is growing. The number of devices is projected to reach over 46 billion by 2021, according to Juniper Research.

But just because a doll can be hacked doesn’t mean IoT is destined for a bleak future. If there’s an immediate takeaway, it’s that manufacturers must be more responsible about data collection and storage, and consumers must be vigilant and demand higher security standards.

What do you think?

As part of Mozilla’s work keeping the Internet safe, secure and healthy, we’re asking you to share your thoughts.

Take our quick survey to let us know how you feel about being connected.

Your input helps Mozilla to run advocacy campaigns, to create web literacy curriculum and more. We’ll share the results in a few weeks. Your responses will help us understand how we can work together to create a safer connected future for us all.

IRL with Veronica Belmont: Get more real talk

We react against the idea of surveillance, but it turns out that we’ve invited it into our homes through devices like digital assistants, connected toys and baby monitors. Are you comfortable with the idea that someone might be watching you or listening to you right now?

Listen as we explore these issues in I Spy With My Digital Eye, the latest episode of IRL, an original podcast from Mozilla, hosted by Veronica Belmont.

Find IRL on our website, and subscribe wherever you get your podcasts.

